1. Field of the Invention
The present invention relates generally to a network system using Mobile Internet Protocol (IP), and in particular, to an apparatus and method for filtering packets in a network system using Mobile IP.
2. Description of the Related Art
With the progress of Internet technology, IP communication networks have developed rapidly. In these IP communication networks, users and servers operate with fixed addresses, namely IP addresses, and routing is performed on the basis of those addresses.
Similarly, in mobile communication systems, several schemes have been proposed for delivering more data to mobile terminals. One of the proposed schemes, the so-called Mobile IP concept of allocating IP addresses to mobile terminals, has now been introduced. In the Internet Engineering Task Force (IETF), which is responsible for Mobile IP, many discussions are being held and have now reached the stage of Mobile IPv6 (MIPv6). Mobile IP is classified into Mobile IPv4 and Mobile IPv6 technologies according to the IP version.
Although the IP communication network began with IP version 4 (IPv4), it is developing into an IPv6-based network, a more advanced network, because of the limited number of available IP addresses, the increase in the number of users, and the need to provision various services. The most noticeable characteristic of IPv6 is that the IP address length is extended from 32 bits to 128 bits, in preparation for a possible depletion of network addresses caused by the rapid growth of the Internet industry.
Because its header region is extended, IPv6 can specify mechanisms for source authentication of packets and for guaranteeing data integrity and security.
In data transmission, this Mobile IP communication network can deliver data without changing the existing IP address and without disconnecting the access. However, because the Mobile IP standard has only now been completed and applied to commercial products, use of the conventional packet filter rule cannot guarantee smooth data communication.
FIG. 1 illustrates a configuration of a network system using Mobile IP, provided for a description of an authentication process based on a Care-of Test Init (CoTI) message in a conventional Mobile Node (MN).
An MN 170 indicates a terminal for performing data communication. A Correspondent Node (CN) 110 indicates a counterpart node with which the MN 170 performs data communication.
A packet filtering apparatus 120, or FireWall (FW), prevents security incidents and threats on the Internet from spreading further and isolates the networks it protects. That is, the packet filtering apparatus 120 blocks unauthorized traffic coming from outside and permits only authorized and authenticated traffic, in order to protect an internal network from untrusted external networks. The packet filtering apparatus 120, in which a packet filter rule is stored, can be an access router.
In Mobile IPv6, even though the mobile node 170 having a home address (also known as Home Address (HoA)) assigned in a home link region leaves the home link region and moves to a remote link region, it can communicate with the desired correspondent node 110 using a Care-of Address (CoA) assigned in the remote link region.
There are two possible methods in which a mobile node performs data communication with a correspondent node in a Mobile IP communication network.
A first method is a tunneling method in which traffic between the mobile node and the correspondent node passes through a Home Agent (HA).
In FIG. 1, the correspondent node 110 is protected by a network to which the packet filter rule of the packet filtering apparatus 120 is applied. For communication with the correspondent node 110, the mobile node 170 initially communicates via an HA 160, and during this communication the packet filter rule is stored in the packet filtering apparatus 120. When the mobile node 170 communicates with the correspondent node 110, the packet filtering apparatus 120 sets the home address of the mobile node 170 as the source IP address and the address of the correspondent node 110 as the destination IP address by means of a downlink packet filter. The ‘downlink’ herein indicates the communication route from the mobile node to the correspondent node. An uplink indicates the communication route from the correspondent node to the mobile node.
A second method is a direct communication method in which for optimization of a route, the mobile node 170 and the correspondent node 110 directly communicate with each other without passing through the HA 160.
In order for the mobile node 170 and the correspondent node 110 to communicate directly with each other without passing through the HA 160, the mobile node 170 attempts to authenticate the correspondent node 110 through a return routability process. The authentication attempt is initiated by the mobile node 170 by sending the CoTI message shown in FIG. 1 to the correspondent node 110. However, because the mobile node 170, whose home address was assigned in the home link region, has left the home link region and moved to the remote link region, the CoTI message uses a CoA as its source address. Therefore, as shown in FIG. 1, the packet is dropped by the packet filter rule in the packet filtering apparatus 120 before it is transmitted to the correspondent node 110. In this case the source address should be the home address that the packet filter rule expects, assigned in the home link region, but because it is a CoA, the packet filtering apparatus 120 treats the sender of the packet as a hacker or an attacker.
That is, even though the return routability process was introduced to perform authentication, the CoTI message, one of the return routability messages, is filtered and dropped in the packet filtering apparatus 120, so the corresponding network has a low security level and can be exposed to potential hacking.
FIG. 2 illustrates a configuration of a network system using Mobile IP, provided for a description of an authentication process based on a Home Test Init (HoTI) message in a conventional mobile node.
In the Mobile IP communication network, for communication with a correspondent node 110, a mobile node 170 initially performs communication via an HA 160, and in this communication process, a packet filter rule is stored in a packet filtering apparatus 120. When the mobile node 170 performs communication with the correspondent node 110, the packet filtering apparatus 120 sets a home address of the mobile node 170 as a source IP address and sets an address of the correspondent node 110 as a destination IP address by means of a packet filter, and sets a protocol type to Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
In the communication method via the HA 160, because of the inefficient routing problem, the mobile node 170 may wish to communicate directly with the correspondent node 110. In this case, the mobile node 170 attempts authentication through a return routability process, and this process is initiated by the mobile node 170 by sending an HoTI message to the correspondent node 110 via the HA 160. Because the HoTI message is sent via the HA 160, its source address is the home address, which solves the problem of FIG. 1.
However, the packet filter rule in the packet filtering apparatus 120 has a function of checking the header type, and because the header type is that of the IPv6 network, the packet filtering apparatus 120 does recognize the packet as an IPv6 packet. However, in the IPv6 network the protocol type of the HoTI message is carried in a Mobility header rather than being TCP or UDP, so the HoTI message is dropped by the packet filter rule in the packet filtering apparatus 120 before it is transmitted to the correspondent node 110, as shown in FIG. 2. That is, when the Next header field indicates a Mobility header, the current packet filter rule in the packet filtering apparatus 120 checks only the header type, fails to read the Mobility header, and drops the packet.
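As an added illustration that is not part of the patent text, the following Python models the conventional packet filter rule described above (source HoA, destination CN, protocol TCP or UDP) on constructed IPv6 packets carrying HoTI and CoTI messages, and beside it a filter that also reads the Mobility header; the addresses, the zero cookies and the omitted checksum are assumptions made for the model.

```python
import struct
from ipaddress import IPv6Address

# IPv6 Next Header values (IANA protocol numbers): TCP, UDP, and the
# Mobile IPv6 Mobility Header (RFC 6275).
TCP, UDP, MOBILITY = 6, 17, 135
# Mobility Header MH Type values of the return routability messages (RFC 6275).
MH_HOTI, MH_COTI = 1, 2

# Constructed sample addresses: the mobile node's home address (HoA), its
# care-of address (CoA) on the remote link, and the correspondent node (CN).
HOA = IPv6Address("2001:db8:1::10")
COA = IPv6Address("2001:db8:2::10")
CN = IPv6Address("2001:db8:9::1")

def ipv6_header(src, dst, next_header, payload):
    """Build a 40-byte IPv6 header (version 6, zero traffic class and flow label)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src.packed + dst.packed + payload

def mobility_header(mh_type):
    """Build a Mobility Header carrying a HoTI or CoTI with an (assumed) zero cookie.
    Fields: Payload Proto 59 (no next header), Header Len in 8-octet units
    excluding the first 8, MH Type, Reserved, Checksum (zero in this model),
    then the 16-bit reserved field and the 64-bit Init Cookie."""
    return struct.pack("!BBBBH", 59, 1, mh_type, 0, 0) + struct.pack("!HQ", 0, 0)

def conventional_filter(packet):
    """The rule in the text: source HoA, destination CN, protocol TCP or UDP."""
    src, dst, nh = IPv6Address(packet[8:24]), IPv6Address(packet[24:40]), packet[6]
    return src == HOA and dst == CN and nh in (TCP, UDP)

def mobility_aware_filter(packet):
    """Same rule, but reads the Mobility Header so a HoTI from the HoA is accepted."""
    src, dst, nh = IPv6Address(packet[8:24]), IPv6Address(packet[24:40]), packet[6]
    if dst != CN:
        return False
    if nh in (TCP, UDP):
        return src == HOA
    if nh == MOBILITY:
        mh_type = packet[40 + 2]  # MH Type is the third octet of the Mobility Header
        return mh_type == MH_HOTI and src == HOA
    return False

# HoTI travels via the HA and carries the HoA; CoTI goes direct and carries the CoA.
HOTI = ipv6_header(HOA, CN, MOBILITY, mobility_header(MH_HOTI))
COTI = ipv6_header(COA, CN, MOBILITY, mobility_header(MH_COTI))
TCP_DATA = ipv6_header(HOA, CN, TCP, b"\x00" * 20)
```

Run against these packets, the conventional rule drops both return routability messages, while the Mobility-aware rule passes the HoTI and still drops the CoTI because its source is the CoA, matching the two failures the text attributes to FIG. 1 and FIG. 2.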